Privacy Concerns with Zoom’s Terms of Service Update


Once again, people who ought to know better are creating panic and hysteria about Zoom privacy and security.  

 
Being concerned with how companies are protecting and securing our data and privacy is important.  What’s also important is that we remain level-headed and wade past alarmist fiction and misinformation to understand the real risks.

As an ex-Zoom employee who worked there through the first barrage of sensational claims, and now the Founder and CEO of a company that sells Zoom along with most of their biggest competitors, please allow me to help you walk through the facts and fiction on this one.

  1.  Zoom has updated their Terms of Service Agreement to keep you informed about how they are using and protecting your data relative to new advanced technologies they are bringing out to serve their customers.  

  2. Being transparent and keeping customers informed about changes is a good thing and something I greatly appreciate in any company I do business with or represent.

  3. As much as it is important for corporations to provide clear communication around important issues like data use, privacy, and security (which they haven’t done the best job of communicating, IMHO), it is also incumbent upon us, the customers, to review and understand the changes, assess the risks versus benefits relative to the alternatives, and make the best decisions for our companies.

  4. One of the areas of concern (hysteria and misinformation aside) was that Zoom may be using your customer data (your Zoom calls) to train their AI models.
    • Zoom has since clarified, for certainty, that notwithstanding the rest of Section 10.4, “Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.”

Figure: Zoom’s TOU clause 10.4 confirming non-use of Customer Content without consent.

Understanding the broader context

We’re all on a journey into brand new territory, where advanced new technologies like AI are being used to provide us with brand new services.  These services require data.  

Progress will require us to look holistically at the opportunities before us and assess them against the potential risks.  It will be a balance.  I suggest the way forward is to always consider what concerned privacy and security protectors are pointing to, to push past whatever sensational headlines, fearmongering, or misinformation there may be, and to carefully examine the true risks and assess them against the potential benefits, not to spread panic and false information as many are doing.

Here is my assessment of the broader context.

  1. Zoom is by many accounts the absolute leader in video and unified communications and is relied on heavily by many of the world’s largest and most security- and privacy-concerned organizations, including those in the list below.  Keep this in mind when you think about the scrutiny these large institutions apply and how you benefit from their size and their need for privacy and security, as well as from their large influence and resources to protect themselves, their data, and their customers.

    • 86% of the Fortune 100
    • 8 out of 10 of the largest U.S. banks
    • More than 50% of the world’s banks
    • 9 of the top 10 hospitals ranked by US News
    • Many of the world’s largest governments including the US and Canada

  2. Zoom has A LOT of advanced features that many of the other vendors in their industry don’t have. These features are designed to make your meetings more productive and effective, and create happier employees and customers. Some of these advanced features are things like:
    • Transcriptions
    • Translations
    • AI based services like:
      • Automated Meeting Summaries
      • Conversation analysis allowing you to coach your staff and improve customer experience
      • Content generation (i.e. automated chat or email composition)

  3. Perfecting these advanced features for your use requires lots of data: your data, and depersonalized aggregated data (Zoom’s data, that is, metadata about your data).  These are two very different things and shouldn’t be conflated as many who should know better are doing.
    • You can’t have great AI tools without data.  The more high quality data the AI gets trained on the better the AI can provide you with value.
    • You can’t receive good output from a system or AI without providing good input (i.e. your data). 
      • For instance, you can’t have automatic meeting summaries to save each of your 200 sales reps 20 minutes of CRM entry per call if you don’t give the system access to the calls so it can summarize them for you.

  4. The question in my mind therefore is not if a provider will use my data to provide me with service, but rather how well they will secure my data and if they share it with others.  This is where you can look to the vendor’s track record of maintaining trust in this area and their transparency about how they will use and protect your data (i.e. the Terms of Use and Privacy Policy).
    • In Zoom’s case they maintain that they do not share your data with 3rd parties except for specific cases as outlined in sections we’ll get to below.
    • Again, they maintain they will not use your data for training their AI models without your consent.

 

What if we don’t need any “advanced features”?

Now before we get to scrutinizing the privacy policy changes, let me say this:

  1. If you don’t want to use these advanced features then don’t use them.  Administrators can turn them off and your staff won’t be able to use them –even if they could really benefit from these tools to make their lives easier, more efficient and productive to better achieve their company goals and beat the competition (who you can bet will be using every advanced feature at their disposal).

  2. As such, I recommend that IT, InfoSec, or Legal should not be making this decision for the company, but should raise their concerns and let the business leaders decide based on their risk versus benefit assessments and on what they want in terms of creating the best employee and customer experiences.
    • Also, keep in mind that every SaaS provider you use (whether they provide you with any kind of advanced AI features or not), will require your data.  This goes for all of Zoom’s competitors, so make sure your company is being just as concerned and diligent about privacy and security with any alternatives they want you to consider.

  3. Even if every advanced Zoom feature was enabled as a default, you can still choose to make any meeting an End to End Encrypted meeting in which case Zoom will have no ability to use any of your call content to better serve you.  
    • Nobody but the participants themselves will have access to the meeting, and these concerns about data privacy become moot.  This means no cloud recordings, no transcriptions, no translations, and certainly no advanced AI features like meeting summaries, auto generated content, or conversational analysis.  If you choose to record such a sensitive call on your own computers then it becomes your responsibility to ensure privacy and security are maintained.  Your people and systems better be up to the task, otherwise don’t allow recordings at all.

Figure: a screenshot of ZoomIQ. Zoom’s Conversational Intelligence tool: ZoomIQ uses AI to help your sales and service teams improve the way they communicate and serve your clients. It provides coaching for reps and managers alike.

Separating the truth from the misinformation:

  1. False Claim: “Zoom is using your customer calls to train its AI and you can’t opt out”
    • Truth:  If enabled by your admins, Zoom will use your customer calls to provide you with AI-generated output.
    • Some of their AI tools will provide you with the option to share data back to Zoom for the benefit of training the model at large.  You can choose to opt out of this, as Zoom’s blog post shows.
    • Once again, they have confirmed in Section 10.4 of their Terms of Use that, notwithstanding the rest of Section 10.4, “Zoom will not use audio, video or chat Customer Content to train our artificial intelligence models without your consent.”

  2. Conflating Customer Content with Service Generated Data.
    • These are two different things and should not be conflated. 
    • Customer Content is your data.  See Sections 10.4 and 10.6 of Zoom’s Terms of Use policy.
    • Service Generated Data is not your data.  It’s Zoom’s metadata about your data.
    • To be fair to those getting confused, Zoom’s 10.2 clause explaining Service Generated Data is not well defined in my opinion and I’ve flagged this up with their executive team for them to review.  Point number 2 of Zoom’s blog post on this issue does a better job explaining what SGD is so you can refer to that in the meantime.

Reviewing the Terms of Use Changes:

Section 10.4 of Zoom’s Terms of Use agreement is where you give Zoom a license to use your data, for three reasons, as follows:

  1. “as may be necessary for Zoom to provide the Services to you, including to support the Services;”

  2. “for the purpose of product and service development, marketing, analytics, quality assurance, machine learning, artificial intelligence, training, testing, improvement of the Services, Software, or Zoom’s other products, services, and software, or any combination thereof; and”

  3. “for any other purpose relating to any use or other act permitted in accordance with Section 10.3.”

Now if you’re concerned with these (especially reasons 2 and 3) and I think that’s completely fair by the way, then I recommend:

  1. Look into whether the benefits outweigh the risks.  I suspect in most cases they will, but consult with your users who can benefit from these features.  If the benefits don’t outweigh the risks, then have your Zoom Administrator disable these advanced features.

  2. If you want to use these advanced features but don’t trust Zoom, let’s see if we can find an alternative that works better for you.  Do this not because of alarmist headlines or posts, but because you’re going to scrutinize the alternative’s privacy and security policies as well and complete a risk/benefit analysis.

Now reason 3 is the one that actually gets a bit challenging as we’ll have to refer to Section 10.3 and subsequent pages to see what else we’re agreeing to.  You can read it for yourself but essentially Section 10.3 gives Zoom the right to do many things with your data with the following stipulations:

  • “(i) in accordance with this Agreement and as required to perform our obligations under this Agreement; 
  • (ii) in accordance with our Privacy Statement
  • (iii) as authorized or instructed by you; 
  • (iv) as permitted or required by Law; 
  • (v) for trust and safety purposes, including monitoring and enforcing our Acceptable Use Guidelines; or 
  • (vi) to protect the rights, property, or security of Zoom, its end users, customers, or the public, including systems and networks.”

     

Conclusion

Now I’m not a lawyer, and I’m most certainly not your lawyer, but as a conclusion my advice to you is this:

  1. Don’t freak out.  
  2. Don’t believe every post you read online –not even ones written by security professionals and people you think should know what they’re talking about.  Instead…
  3. Read the agreements and policy changes for yourself and consult experts to help you understand the risk/benefit equation.
  4. If you’re still uncomfortable with how your data will be protected, used, or shared, then proceed to steps 5 and 6 below and begin to assess other options and alternatives that can help you create the best possible outcomes you want for your business.  Our company can help you with this.
  5. Don’t enable features that you’re not comfortable giving up your data for.
  6. Use End to End Encryption to secure any highly sensitive Zoom meetings where zero trust can be afforded.  Maybe for some people currently experiencing low trust issues, that’s all of your meetings.  For others, that’s probably just the highly sensitive meetings that you can’t take any chances with.  Let us know if we can help you get this feature enabled.

If you would like help assessing your company’s needs with regard to finding the best Communications Technology, please contact us.  Keep in mind that we have a strong bias for helping you create the absolute best employee and customer experiences.  We’ll work with your Legal and InfoSec teams to find the best balance between risk and benefit, just as the largest companies in the world who benefit from advanced technologies do.